Before we get started with the updates for Red Hat Enterprise Linux 7.8, we recommend taking a serious look at moving to Red Hat Enterprise Linux 8. RHEL 7 is now in Maintenance Support and will no longer receive newer versions of container tools. Users who need access to the latest versions of Podman, Buildah and Skopeo, should move to RHEL 8 where the container-tools module is updated once a quarter. For those of you required to use containers on RHEL 7, this post will provide you a strategic and technical update.
Red Hat understands that many customers cannot upgrade immediately. So, similar to our update of container tools in RHEL 7.7, we have released one final update to the container tools provided in RHEL 7.8. Here’s a quick summary:
Rootless containers are now Generally Available and fully supported in RHEL Server and RHEL Workstation (release notes)
Major updates to container tools: Podman 1.6.4, Buildah 1.11.6 and Skopeo 0.1.41 (release notes)
Updated container images (release notes)
Rootless Containers Generally Available (GA)
Users of RHEL 7.8 can now use Podman 1.6.4 to find, run, build and share containers as regular users (also called rootless). This builds on the work we did in RHEL 7.7 (Three New Container Capabilities in Red Hat Enterprise Linux 7.7) as well as RHEL 7.6 (A preview of running containers without root in RHEL 7.6).
The new rootless feature can be used with a fresh installation of RHEL 7.8 or by upgrading from RHEL 7.7. When doing a fresh install, just add a new user ID and the new version of the shadow-utils package will take care of everything (
/etc/subgid entries). With an upgrade from RHEL 7.6 or older, you will need to add the UID/GID mappings for existing users. For more detailed information, follow the Managing Containers guide in the RHEL 7 documentation.
This GA version of rootless containers in RHEL 7.8 uses fuse-overlay by default. With fuse-overlay container images are mounted more quickly, resulting in faster startup times for running containers. Overlay is also the most tested graph driver upstream and offers users the all around best experience.
While the tech preview of rootless containers RHEL 7.7 used the VFS driver (no fuse-overlay support). This had the trade-off using a lot more disk space for slightly better runtime performance. While the VFS driver is still available for users in RHEL 7.8, Red Hat strongly recommends using fuse-overlay with bind mounts (instead of VFS) for any data requiring native throughput performance.
The containers team wants to thank the kernel and file system teams for their work back porting this into the RHEL 3.10 kernel, enabling customers who can’t move from RHEL 7 just yet.
Updates to Container Tools
Also with RHEL 7.8, we are excited to announce a final major update to the container tools provided in the Extras channel. This includes stable versions of Podman 1.6.4, Buildah 1.11.6, and Skopeo 0.1.40. These versions were specifically chosen to be in line with the versions released in RHEL 8.2, making it easier to move to RHEL 8.
Here’s a short list of some interesting new features:
Initial support for the CNI DNS plugin, which allows containers to resolve the IPs of other containers via DNS name, has been added.
Podman now supports anonymous named volumes, created by specifying only a destination to the
-vflag to the
podman infocommand, when run without root, now shows information on UID and GID mappings in the rootless user namespace.
podman build --squash-allflag, which squashes all layers (including those of the base image) into one layer.
podman network create,
podman network rm,
podman network inspect, and
podman network lscommands have been added to manage CNI networks used by Podman.
podman volume createcommand can now create and mount volumes with options, allowing volumes backed by NFS, tmpfs, and many other filesystems.
Rootless Podman can experimentally squash all UIDs and GIDs in an image to a single UID and GID (which does not require use of the newuidmap and newgidmap executables) by passing
Rootless Podman containers with
--privilegedset will now mount in all host devices that the user can access.
Rootless Podman now supports health checks (#3523).
An Eye Towards RHEL 8
Users thinking about moving to RHEL 8, should think through two major areas - container tools and container images.
This is planned to be the final release of RHEL 7 with major new features in the container tools software stack. This means Podman will not be updated beyond 1.6.4, Buildah will not be updated beyond 1.11.6, and Skopeo will not be updated beyond 0.1.41. These versions were specifically chosen for stability because they are to be supported until the end of life for RHEL 7.
They were also chosen to be the same versions as RHEL 8.2. This makes it easier for users to move to RHEL 8 with confidence. For more information on tools available versions and support options, please see the Container Tools AppStream - Content Availability page.
Users who rely on the docker or atomic command in RHEL 7 should look to migrate their applications to Podman, Buildah and Skopeo in RHEL 8. Neither command (docker and atomic) are included nor supported in RHEL 8. The versions of the docker and atomic commands in RHEL 7 will continue to receive security updates, but will not be refreshed beyond docker 1.13 and atomic 1.22.1. For more information on moving to Podman, Buildah and Skope in RHEL 8, please see our guide: Building, running, and managing containers.
If you are still using applications based on RHEL / UBI 7, or even RHEL 6, container images, it’s important to remember that most workloads can be migrated to RHEL 8 simply by running them on a RHEL 8 container host.
The general guidance is:
If you are using an unprivileged container (doesn’t need the
--privilegedflag), it will likely run fine on a newer container host.
Older applications on older container images almost always work on newer container hosts.
Newer container images running on older container hosts may try to use APIs which don’t exist on older hosts. This is compounded if running privileged and accessing APIs outside of the syscall layer.
For a deeper dive with some examples of what will and won’t work, please see Container Compatibility guide.
For future releases of container tools, stay tuned to RHEL 8 where our future development will happen.
About the author
At Red Hat, Scott McCarty is Senior Principal Product Manager for RHEL Server, arguably the largest open source software business in the world. Focus areas include cloud, containers, workload expansion, and automation. Working closely with customers, partners, engineering teams, sales, marketing, other product teams, and even in the community, he combines personal experience with customer and partner feedback to enhance and tailor strategic capabilities in Red Hat Enterprise Linux.
McCarty is a social media start-up veteran, an e-commerce old timer, and a weathered government research technologist, with experience across a variety of companies and organizations, from seven person startups to 20,000 employee technology companies. This has culminated in a unique perspective on open source software development, delivery, and maintenance.